The present invention relates to a random number generating, encrypting, and decrypting apparatus, a method thereof, a program thereof, and a recording program thereof.
In recent years, as the Internet and mobile communication have become more widely used, protecting digital information has become more important. As a cryptographic technology, the common key system, which uses the same secret key for the encrypting process and the decrypting process, is known. The common key system is divided into block ciphers and stream ciphers.
FIG. 1A describes the block cipher. The information bit sequence of the plain text is divided into blocks of a predetermined length. An encrypting apparatus 1 encrypts each block. Likewise, the cipher text is divided into blocks.
On the other hand, as shown in FIG. 1B, in the stream cipher, random numbers generated by an encrypting apparatus (random number generator) 2 are combined with the information bit sequence bit by bit so as to generate cipher text.
In the stream cipher, when bit sequences of plain text are denoted by $m_1, m_2, m_3, \ldots$, bit sequences of random numbers are denoted by $r_1, r_2, r_3, \ldots$, and bit sequences of cipher text are denoted by $c_1, c_2, c_3, \ldots$, the encrypting process is performed by $c_i = m_i \oplus r_i$ (where $\oplus$ represents addition modulo 2; $i = 1, 2, 3, \ldots$). The decrypting process is performed by $m_i = c_i \oplus r_i$ (where $\oplus$ represents addition modulo 2; $i = 1, 2, 3, \ldots$).
The transmission side and the reception side need to generate common random numbers. If the random number sequences and the random number generation patterns are known, the cipher text can be easily decrypted. Thus, random numbers that are safe for cryptographic applications need to be statistically uniform. In addition, future random number sequences need to be difficult to estimate from past random number sequences.
Generally, the stream cipher is faster than the block cipher. When a large amount of data such as video data is encrypted and transmitted in real time, the stream cipher is more suitable than the block cipher. In addition, the circuit scale for the stream cipher is often smaller than that for the block cipher. Thus, although block ciphers such as DES (Data Encryption Standard), AES (Advanced Encryption Standard), and so forth have been standardized, stream ciphers have been widely used.
However, since RC4 (Rivest Cipher 4, a stream cipher), which has been widely used, has weak keys, a disadvantage in its use in WEP (Wired Equivalent Privacy Protocol), and a bias in its output, its safety has been academically disputed. In addition, since RC4 was designed for software, its encryption speed is restricted. Thus, it can be said that a safe, high speed stream cipher dedicated to hardware is needed.
On the other hand, in recent years, cryptographic algorithms that use chaos, which has been studied in the field of nonlinear dynamics, have been widely studied. However, most of these studies are based on mapping dynamical systems. In contrast, cryptographic algorithms that use the cellular automaton (referred to as CA), a dynamical system whose state, time, and space are all discrete, are not widely known. The CA is suitable for embedding in hardware because of its structure, and it is expected to accomplish a high speed stream cipher. Stephen Wolfram has proposed a stream cipher using rule 30 of the one-dimensional, two-state, three-neighbor cellular automaton in “Adv. Appl. Math. Vol. 7 (1986) 123-169,” “Lecture Notes in Computer Science Vol. 218 (1986) 429-432,” and so forth.
FIG. 2 shows the structure of a cryptographic algorithm using CA. Input information data (plain text) are input as a one-bit stream to an exclusive OR circuit (hereinafter sometimes referred to as EX-OR gate) 3. A key stream that is a one-bit stream is input from a CA core 4 (random number generator) to the other input of the EX-OR gate 3. The EX-OR gate 3 outputs cipher text. A secret key and a clock are input as initial values to the CA core 4. The CA core 4 generates random numbers.
The one-dimensional, two-state, three-neighbor cellular automaton means that cells are arranged on a one-dimensional lattice, that each cell has a state value that is 0 or 1, that the state value of each cell at the next time (hereinafter sometimes referred to as time step) is given by a function (rule) that depends on only the state value of the own cell and the state values of both neighbors, and that the state value of each cell is synchronously updated by the function. In other words, the state value of each cell is expressed by the following formula (1).
$$S_i^{t+1} = F(S_{i-1}^{t}, S_i^{t}, S_{i+1}^{t}) \quad (1)$$
where $S_i^t$ represents the state of the i-th cell at time step t.
Stephen Wolfram searched for a rule that generates a random sequence in the range of the one-dimensional, two-state, three-neighbor CA and showed that rule 30 is the best pseudo random generator. The state update rule of rule 30 can be expressed by the following formula (2).
$$S_i^{t+1} = S_{i-1}^{t} \oplus S_i^{t} \oplus S_{i+1}^{t} \oplus S_i^{t} \cdot S_{i+1}^{t} \quad (2)$$
where $\oplus$ represents addition modulo 2.
Formula (2) can be represented in Boolean algebra by the following formula (3).
$$S_i^{t+1} = S_{i-1}^{t} \ \mathrm{XOR}\ (S_i^{t} \ \mathrm{OR}\ S_{i+1}^{t}) \quad (3)$$
FIG. 3 is a schematic diagram showing cells arranged in coordinates whose vertical axis represents time (t) and whose horizontal axis represents cell numbers (i). In FIG. 3, the state of the shaded i-th cell, for example, the sixth cell, is used as a key stream.
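The following sketch is an added example, not code from the patent: it runs the structure of FIG. 2 with the rule 30 update of formula (3), sampling one fixed cell per time step as in FIG. 3. The periodic boundary, the use of the key bits directly as the initial cell states, the byte packing, and all function names are assumptions made for the illustration.

```python
# Added example (not from the patent): rule 30 CA as the key stream source of FIG. 2.
# Assumptions: periodic boundary, key bits used directly as the initial cell states.

def rule30_step(cells):
    """One synchronous update, formula (3): S_i' = S_{i-1} XOR (S_i OR S_{i+1})."""
    n = len(cells)
    # cells[i - 1] wraps to the last cell for i == 0 (periodic boundary)
    return [cells[i - 1] ^ (cells[i] | cells[(i + 1) % n]) for i in range(n)]

def key_to_cells(key):
    """Expand key bytes into one cell per bit, most significant bit first."""
    return [(byte >> (7 - b)) & 1 for byte in key for b in range(8)]

def keystream(initial_cells, tap, nbits):
    """Sample the state of cell `tap` once per time step (the shaded cell of FIG. 3)."""
    if not 0 <= tap < len(initial_cells):
        raise ValueError("tap must index an existing cell")
    cells, out = list(initial_cells), []
    for _ in range(nbits):
        out.append(cells[tap])
        cells = rule30_step(cells)
    return out

def xor_stream(data, initial_cells, tap):
    """c_i = m_i XOR r_i; the same call decrypts because XOR is its own inverse."""
    bits = keystream(initial_cells, tap, 8 * len(data))
    out = bytearray()
    for k, byte in enumerate(data):
        ks_byte = 0
        for bit in bits[8 * k:8 * k + 8]:   # pack 8 key stream bits, MSB first
            ks_byte = (ks_byte << 1) | bit
        out.append(byte ^ ks_byte)
    return bytes(out)

if __name__ == "__main__":
    cells = key_to_cells(b"constructed key!")   # constructed 128-bit sample key
    message = b"constructed plain text"         # constructed sample input
    cipher = xor_stream(message, cells, tap=64)
    print(cipher.hex())
    print(xor_stream(cipher, cells, tap=64))    # recovers the message
```

Each call to `rule30_step` updates every cell but contributes only one key stream bit, so adding cells does not raise the output rate.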
Stephen Wolfram conducted statistical tests for seven types of bit sequences that the CA rule generates and checked whether they have randomness. However, he only checked the randomness of several bit sequences. Thus, the evaluation that he conducted of the rule as a pseudo random number generator is not sufficient.
As a random number evaluation test for cryptographic applications, NIST (National Institute of Standards and Technology) has made RNG testing available to the public (NIST Special Publication (SP) 800-22, A Statistical Test Suite for Random and Pseudo random Number Generators for Cryptographic Applications). FIG. 4 shows NIST's 16 types of test items.
In the NIST test, the p-value of an n-bit sequence is obtained. The p-value is the probability that a logically perfect random sequence generator generates a bit sequence having lower randomness than the input n-bit sequence. In this case, “lower randomness” means that the characteristic quantity under test deviates from the mean value.
When the obtained p-value is equal to or larger than α, this state is referred to as “success.” This evaluation is performed for m samples. The success rate and the uniformity of the p-values are evaluated. When the p-values are uniform and the success rate is in a predetermined range whose center value is 1−α, the test is referred to as “passed.” Test results vary slightly depending on the initial value (the secret key given to the CA core). Thus, each test is performed with several initial values. In the following example, tests are performed with $n = 10^6$, α=0.01, and m=1000. FIG. 5 shows parameters used in each test.
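The success-rate half of this criterion can be sketched as follows. This is an added example, not part of the patent: it uses the Frequency (Monobit) test as the single test item, and the interval (1−α) ± 3·sqrt(α(1−α)/m) is the one given in SP 800-22, since the text above says only that the range is centered on 1−α. The p-value uniformity check is not covered, and the function names are assumptions.

```python
# Added example (not from the patent): success rate of one SP 800-22 test item.
import math

def monobit_p_value(bits):
    """Frequency (Monobit) test: p = erfc(|S_n| / sqrt(2n)), S_n = sum of +/-1."""
    n = len(bits)
    s_n = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s_n) / math.sqrt(2 * n))

def pass_range(alpha, m):
    """SP 800-22 interval for the success rate: (1-alpha) +/- 3*sqrt(alpha(1-alpha)/m)."""
    centre = 1.0 - alpha
    half_width = 3.0 * math.sqrt(centre * alpha / m)
    return centre - half_width, centre + half_width

def success_rate_check(samples, alpha=0.01, test=monobit_p_value):
    """Return (success rate, in_range) for m bit sequences under one test item.

    A sample is a "success" when its p-value is >= alpha. Uniformity of the
    p-values is a separate check and is not evaluated here.
    """
    successes = sum(test(sample) >= alpha for sample in samples)
    rate = successes / len(samples)
    low, high = pass_range(alpha, len(samples))
    return rate, low <= rate <= high

if __name__ == "__main__":
    low, high = pass_range(0.01, 1000)            # alpha and m as in the text
    print(f"pass region: {low:.5f} .. {high:.5f}")
    balanced = [0, 1] * 50                        # constructed sample, p-value 1.0
    all_ones = [1] * 100                          # constructed sample, p-value near 0
    print(success_rate_check([balanced] * 985 + [all_ones] * 15))
    print(success_rate_check([balanced] * 1000))  # rate 1.0 lies above the region
```

With α=0.01 and m=1000 the interval is roughly 0.9806 to 0.9994, so a success rate of exactly 1.0 also falls outside the pass region.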
FIG. 6 shows test results of RC4 (256-bit key). FIG. 7 shows test results of the CA rule 30. Each graph shows two test results obtained with different initial values. In the graphs that show the test results, the horizontal axis represents test types and the vertical axis represents success rates. The region surrounded by the upper and lower lines represents the pass region. In the CA, a cell number is fixed and a bit sequence is chronologically sampled. The number of cells is, for example, 1000.
As is clear from FIG. 6, in the RC4, the uniformity of the p-values is passed in all tests. In one template of the seventh test item (Non-overlapping Template Matching Test), the success rate always deviates from the range. In the seventh test, pattern matching is performed with 148 types of templates, and the success rate of each type is calculated. Depending on the initial value, the success rate of the tenth test item (Lempel Ziv Compression) deviates from the pass range. Thus, in the RC4, several tests are not passed.
As is clear from FIG. 7, in the CA rule 30, depending on the initial value, the third test item (Runs Test), the fifteenth test item (Random Excursions), and the sixteenth test item (Random Excursions Variant) are not passed. More seriously, the uniformity of the p-values of the tenth test item (Lempel Ziv Compression) is lost. This means that the characteristics of the bit sequences are biased. Thus, there is a possibility that the bit sequences can be distinguished from random sequences.
Since only one bit of information is used at one time step, even if the number of cells (gates) is increased, the cryptographic process speed cannot be increased.